DNS & Content Delivery#
Learning Objectives#
- Configure Route53 routing policies (simple, weighted, latency, geolocation, failover)
- Design CloudFront distribution with custom origins and behaviors
- Understand Global Accelerator vs CloudFront
- Implement DDoS protection with Shield and WAF
1. Amazon Route53#
1.1 DNS Fundamentals#
Route53 is a highly available and scalable DNS web service.
```text
User types "example.com"
        │
        ▼
┌────────────────────────────────────────────────────┐
│ DNS Resolution                                     │
│                                                    │
│ 1. Browser checks cache                            │
│ 2. Browser asks OS resolver                        │
│ 3. OS asks ISP/Public DNS (8.8.8.8)                │
│ 4. Public DNS asks Root DNS Server                 │
│    → "Find .com TLD server"                        │
│ 5. Root → TLD (.com) → "Route53 is authoritative"  │
│ 6. TLD → Route53 → "example.com = 1.2.3.4"         │
│ 7. Public DNS caches → Returns to browser          │
│ 8. Browser connects to 1.2.3.4                     │
└────────────────────────────────────────────────────┘
```
1.2 Route53 Routing Policies#
| Policy | Description | Use Case |
|---|---|---|
| Simple | Single record, one destination | Basic A/AAAA/CNAME records |
| Weighted | Distribute % of traffic to each target | A/B testing, canary deployments |
| Latency | Route to lowest latency region | Global user base |
| Geolocation | Route based on user’s location | Regional content restrictions |
| Geo-proximity | Route based on distance + bias | Traffic shift between regions |
| Failover | Active-passive DR | Primary → Secondary (health check) |
| Multi-Value | Return multiple healthy IPs | Simple load balancing |
Example: Weighted Routing
```text
example.com
├── us-east-1 ALB (weight 70) → 70% traffic
└── eu-west-1 ALB (weight 30) → 30% traffic
```
Example: Latency Routing
```text
┌──────────┐   ┌──────────┐   ┌──────────┐
│ User in  │   │ User in  │   │ User in  │
│    US    │   │  Europe  │   │   Asia   │
└────┬─────┘   └────┬─────┘   └────┬─────┘
     │              │              │
     ▼              ▼              ▼
┌──────────┐   ┌──────────┐   ┌──────────┐
│ us-east-1│   │ eu-west-1│   │ ap-south │
│   ALB    │   │   ALB    │   │  -1 ALB  │
└──────────┘   └──────────┘   └──────────┘
```
1.3 Health Checks & Failover#
```text
┌──────────────────────────┐
│ Route53 Health           │
│ Check (15 sec)           │
└────┬─────────────────────┘
     │
     ├── Healthy: → Primary endpoint
     │
     └── 3 consecutive failures: → Failover to secondary
```
```bash
# Create health check (HTTPS probe every 30 s; unhealthy after 3 failed probes)
aws route53 create-health-check \
  --caller-reference "web-alb-$(date +%s)" \
  --health-check-config '{
    "Type": "HTTPS",
    "FullyQualifiedDomainName": "myapp.example.com",
    "Port": 443,
    "RequestInterval": 30,
    "FailureThreshold": 3,
    "EnableSNI": true
  }'

# Create failover record set: PRIMARY carries the health check, SECONDARY is
# returned only while the primary is unhealthy. Both are alias records to ALBs.
aws route53 change-resource-record-sets \
  --hosted-zone-id ZONE_ID \
  --change-batch '{
    "Changes": [
      {
        "Action": "UPSERT",
        "ResourceRecordSet": {
          "Name": "app.example.com",
          "Type": "A",
          "SetIdentifier": "primary",
          "Failover": "PRIMARY",
          "HealthCheckId": "abc123",
          "AliasTarget": {
            "HostedZoneId": "ALB_ZONE_ID",
            "DNSName": "my-alb-123.elb.amazonaws.com",
            "EvaluateTargetHealth": true
          }
        }
      },
      {
        "Action": "UPSERT",
        "ResourceRecordSet": {
          "Name": "app.example.com",
          "Type": "A",
          "SetIdentifier": "secondary",
          "Failover": "SECONDARY",
          "AliasTarget": {
            "HostedZoneId": "ALB_ZONE_ID",
            "DNSName": "dr-alb-456.elb.amazonaws.com",
            "EvaluateTargetHealth": true
          }
        }
      }
    ]
  }'
```
⚡ Exam Tip: Route53 cannot route to on-premises IPs behind an NLB (unless they're registered as targets). Use health checks to monitor endpoints.
2. Amazon CloudFront#
2.1 CloudFront Architecture#
CloudFront is a global content delivery network (CDN) that accelerates static and dynamic content delivery.
```text
                     ┌──────────────────────────────────┐
                     │        AWS Global Network        │
                     │                                  │
User (Tokyo) ───────>│  Edge Location (Tokyo)           │
                     │          │                       │
                     │          ▼ (cache miss)          │
                     │  Regional Edge Cache             │
                     │          │                       │
                     │          ▼ (cache miss)          │
                     │  Origin (us-east-1 S3/ALB)       │
                     └──────────────────────────────────┘
```
2.2 CloudFront Origins#
| Origin Type | Use Case | Example |
|---|---|---|
| S3 Bucket | Static content (images, CSS, JS, downloads) | Website assets |
| ALB/EC2 | Dynamic content (APIs, web apps) | Application backend |
| Custom HTTP | Any HTTP server (on-premises, other cloud) | Legacy systems |
| S3 + OAI | Restrict S3 access to CloudFront only | Private content |
2.3 CloudFront Behaviors#
Route different URL patterns to different origins:
```text
Distribution: d123.cloudfront.net
├── /api/*    → ALB (dynamic)
├── /images/* → S3 (static, TTL 30 days)
├── /*        → S3 (static, TTL 7 days)
└── /secure/* → ALB (requires signed URLs)
```
2.4 CloudFront Security#
Origin Access Control (OAC):
```bash
# Create OAC (replaces legacy OAI). The API also requires the origin type the
# OAC will be attached to (s3 here).
aws cloudfront create-origin-access-control \
  --origin-access-control-config '{
    "Name": "my-oac",
    "Description": "Restrict S3 to CloudFront only",
    "SigningProtocol": "sigv4",
    "SigningBehavior": "always",
    "OriginAccessControlOriginType": "s3"
  }'
```
Signed URLs vs Signed Cookies:
| Feature | Signed URLs | Signed Cookies |
|---|---|---|
| Scope | Single file | Multiple files/folders |
| Type | Per-URL access | Session-based access |
| Use case | Paid content, one-time downloads | Streaming, subscription access |
Geo-Restriction:
- Allowlist: Only users from specified countries
- Blocklist: Block users from specified countries
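The OAC above only signs CloudFront's requests; the S3 side must still refuse everyone else. The following added example (not part of the course material) generates the matching bucket policy, pinned to one distribution ARN, and a small audit that rejects a policy that still grants a public principal or leaves the CloudFront principal unscoped. Bucket name and distribution ARN are assumed placeholders, and the audit is a line-oriented heuristic, not a full policy parser.

```bash
#!/usr/bin/env bash
# Added example: S3 bucket policy that pairs with a CloudFront OAC, plus a
# quick audit. Assumed inputs: bucket name and distribution ARN (placeholders).
set -euo pipefail

# Print a policy that allows s3:GetObject only when the request is SigV4-signed
# by the CloudFront service principal on behalf of exactly DIST_ARN.
oac_bucket_policy() {
  local bucket="$1" dist_arn="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontServicePrincipalReadOnly",
      "Effect": "Allow",
      "Principal": { "Service": "cloudfront.amazonaws.com" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::${bucket}/*",
      "Condition": {
        "StringEquals": { "AWS:SourceArn": "${dist_arn}" }
      }
    }
  ]
}
EOF
}

# Apply it (needs AWS credentials; not exercised by the offline check).
# Keep S3 Block Public Access enabled: OAC does not need any public grant.
apply_oac_bucket_policy() {
  local bucket="$1" dist_arn="$2"
  aws s3api put-bucket-policy --bucket "$bucket" \
    --policy "$(oac_bucket_policy "$bucket" "$dist_arn")"
}

# Heuristic audit of a policy document (e.g. from `aws s3api get-bucket-policy
# --query Policy --output text`). Returns 1 on a public principal or on a
# CloudFront grant that is not pinned with AWS:SourceArn.
audit_oac_bucket_policy() {
  local policy="$1"
  if printf '%s' "$policy" | grep -Eq '"(Principal|AWS)": *"\*"'; then
    echo "FAIL: policy contains a public (*) principal" >&2
    return 1
  fi
  if printf '%s' "$policy" | grep -q 'cloudfront.amazonaws.com' &&
     ! printf '%s' "$policy" | grep -q 'AWS:SourceArn'; then
    echo "FAIL: CloudFront principal not scoped with AWS:SourceArn" >&2
    return 1
  fi
  echo "OK"
}
```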
2.5 Lambda@Edge & CloudFront Functions#
Run code at Edge Locations for low latency:
| Feature | CloudFront Functions | Lambda@Edge |
|---|---|---|
| Runtime | JavaScript | Node.js, Python |
| Execution time | < 1 ms | Up to 30 sec |
| Use case | URL rewrites, header manipulation | Complex auth, DB queries |
| Scale | Millions of requests/sec | Thousands/sec |
| Viewer request/response | Yes | Yes |
| Origin request/response | No | Yes |
3. AWS Global Accelerator#
Improve performance and reliability of global applications using AWS global network:
| Feature | CloudFront | Global Accelerator |
|---|---|---|
| Purpose | Content delivery (CDN) | Network performance |
| Layer | 7 (HTTP/HTTPS) | 4 (TCP/UDP) |
| Protocols | HTTP, HTTPS, WebSocket | TCP, UDP (any port) |
| Caching | Yes (edge caching) | No (pass-through) |
| Static IP | No (uses Anycast) | Yes (2 static IPs) |
| Use Case | Static + dynamic content | HTTP APIs, gaming, VoIP |
```bash
# Create Global Accelerator (the Global Accelerator API is served from
# us-west-2, so pass --region us-west-2 or set it in the profile)
aws globalaccelerator create-accelerator \
  --name my-app-accelerator \
  --ip-address-type IPV4

# Create endpoint group (points to ALB)
aws globalaccelerator create-endpoint-group \
  --endpoint-group-region us-east-1 \
  --listener-arn arn:aws:globalaccelerator:...:listener/abc \
  --endpoint-configurations '[
    {"EndpointId": "arn:aws:elasticloadbalancing:us-east-1:...:loadbalancer/app/my-alb/abc"}
  ]'
```
4. AWS WAF & Shield#
4.1 AWS WAF (Web Application Firewall)#
Protects web applications from common exploits:
```bash
# Create WAF ACL: managed common rules first, then a per-IP rate limit.
# The ACL-level --visibility-config is required by the API.
aws wafv2 create-web-acl \
  --name app-waf \
  --scope REGIONAL \
  --default-action '{"Allow": {}}' \
  --visibility-config '{"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "appWaf"}' \
  --rules '[
    {
      "Name": "AWS-AWSManagedRulesCommonRuleSet",
      "Priority": 0,
      "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
      "OverrideAction": {"None": {}},
      "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "awsCommonRules"}
    },
    {
      "Name": "rate-limit",
      "Priority": 1,
      "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}},
      "Action": {"Block": {}},
      "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "rateLimit"}
    }
  ]'
```
Managed Rule Groups:
- Common Rule Set → SQL injection, XSS, path traversal
- IP Reputation → Block known malicious IPs
- Anonymous IP → Block Tor, VPN, proxy traffic
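Before switching the rate-based rule above from Count to Block, it is worth replaying real access logs through the same counting the rule performs (requests per client IP within a window) to see which clients a given Limit would catch. The following added example (not part of the course material) does that with awk over a constructed CloudFront-style log; it uses fixed time buckets as an approximation of WAF's trailing 5-minute window and a deliberately low limit so the sample stays small.

```bash
#!/usr/bin/env bash
# Added example: size a WAF rate-based rule from access logs.
# Assumed input: whitespace-separated lines carrying CloudFront's first five
# columns (date time x-edge-location sc-bytes c-ip ...); header lines start with '#'.
set -euo pipefail

# Constructed sample log (not real traffic): one client bursts on /api/login.
SAMPLE_LOG='#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status
2024-01-01 12:00:01 NRT57-C1 512 203.0.113.7 GET d123.cloudfront.net /api/login 200
2024-01-01 12:00:02 NRT57-C1 512 203.0.113.7 GET d123.cloudfront.net /api/login 401
2024-01-01 12:00:03 NRT57-C1 512 203.0.113.7 GET d123.cloudfront.net /api/login 401
2024-01-01 12:00:04 NRT57-C1 512 203.0.113.7 GET d123.cloudfront.net /api/login 401
2024-01-01 12:00:05 LHR62-C2 840 198.51.100.2 GET d123.cloudfront.net /images/a.png 200
2024-01-01 12:03:10 LHR62-C2 840 198.51.100.2 GET d123.cloudfront.net /images/b.png 200
2024-01-01 12:05:01 NRT57-C1 512 203.0.113.7 GET d123.cloudfront.net /api/login 401
2024-01-01 12:05:02 LHR62-C2 840 198.51.100.2 GET d123.cloudfront.net /images/c.png 200'

# flag_rate_offenders LIMIT WINDOW_SECONDS < log
# Prints "ip bucket=N requests=M" for each (client IP, window) exceeding LIMIT,
# which is what AggregateKeyType=IP counts (fixed buckets, not a trailing window).
flag_rate_offenders() {
  awk -v limit="$1" -v win="$2" '
    /^#/ { next }                          # skip CloudFront header lines
    {
      split($2, t, ":")                    # HH:MM:SS -> seconds of day
      sec = t[1] * 3600 + t[2] * 60 + t[3]
      count[$5, int(sec / win)]++          # key: c-ip + window index
    }
    END {
      for (k in count) if (count[k] > limit) {
        split(k, p, SUBSEP)
        printf "%s bucket=%d requests=%d\n", p[1], p[2], count[k]
      }
    }' | sort
}

# Run the embedded sample with limit 3 over 300 s windows. The rule on this
# page uses Limit 2000; lower the limit only to exercise the logic here.
check_sample() { printf '%s\n' "$SAMPLE_LOG" | flag_rate_offenders 3 300; }
```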
4.2 AWS Shield#
| Tier | Protection | Cost |
|---|---|---|
| Shield Standard | L3/L4 DDoS (SYN/UDP floods) | Free (automatic) |
| Shield Advanced | L7 DDoS, WAF integration, DDoS cost protection | $3,000/month |
5. Real-World Use Cases#
Use Case 1: Global E-Commerce Platform with Multi-Region Failover#
Scenario: An e-commerce platform serves customers worldwide. They need < 100ms page load times, must survive a full region outage, and want to A/B test new features.
Solution:
```mermaid
graph TD
    User["User"] --> R53["Route53\nLatency-based"]
    subgraph PrimaryReg["Primary: us-east-1"]
        CF1["CloudFront"] --> WAF1["WAF"] --> ALB1["ALB"] --> ASG1["EC2 ASG"]
    end
    subgraph DRReg["DR: eu-west-1"]
        CF2["CloudFront"] --> WAF2["WAF"] --> ALB2["ALB"] --> ASG2["EC2 ASG"]
    end
    R53 -->|Primary| PrimaryReg
    R53 -.->|Failover if health check fails| DRReg
    ASG1 --> RDS_PRI["RDS Primary\nus-east-1"]
    ASG2 --> RDS_REP["RDS Read Replica\neu-west-1"]
    RDS_PRI -.->|Cross-region replication| RDS_REP
    subgraph Canary["Canary Deployment"]
        R53W["Route53\nWeighted: v1=90%, v2=10%"]
    end
```
How it works:
- Route53 latency-based routing sends users to the nearest healthy region
- CloudFront caches static assets at 400+ Edge Locations globally
- WAF blocks SQL injection, XSS, and DDoS at the edge
- Route53 failover with health checks detects region downtime and shifts traffic
- Weighted routing for canary deployments → send 10% of traffic to new version
Use Case 2: Secure Media Sharing with Pre-Signed URLs#
Scenario: A video hosting platform lets users upload private videos and share them with specific people for 24 hours.
Solution:
```mermaid
sequenceDiagram
    participant Owner as Content Owner
    participant App as Web App
    participant API as API Gateway
    participant Lambda
    participant S3 as S3 Bucket
    participant CF as CloudFront
    participant Viewer as Shared Viewer
    Owner->>App: Upload video
    App->>Lambda: Request upload URL
    Lambda->>S3: Generate pre-signed PUT URL
    S3->>Owner: Pre-signed URL (valid 1hr)
    Owner->>S3: Upload video directly
    Note over App,Viewer: Share workflow
    App->>Lambda: Share video with friend@email.com
    Lambda->>S3: Generate pre-signed GET URL
    S3->>Lambda: URL (valid 24hr)
    Lambda->>App: Return shareable link
    App->>Viewer: Email link to viewer
    Viewer->>CF: Request video via CloudFront
    CF->>S3: Validate signed URL/OAC
    S3->>CF: Serve video
    CF->>Viewer: Stream video
```
Why this works:
- Pre-signed URLs provide time-limited, permission-scoped access without AWS credentials
- CloudFront + OAC ensures content is only accessible through CloudFront, not directly from S3
- No IAM users needed for viewers → they only need the URL
- Automatic expiration → links stop working after the set time
Use Case 3: SaaS Multi-Tenant API with Rate Limiting#
Scenario: A SaaS API needs to enforce different rate limits per customer tier (Free: 10 req/s, Pro: 100 req/s, Enterprise: 1000 req/s) and block malicious traffic.
Solution: CloudFront + WAF Rate Limiting + API Gateway Usage Plans
| Component | Purpose |
|---|---|
| CloudFront | Edge caching, DDoS protection, geo-restriction |
| WAF Rate-Based Rules | Per-IP rate limiting (2000 req/5min per IP) |
| WAF IP Sets | Allowlist enterprise customers’ static IPs |
| API Gateway Usage Plans | API key-based throttling per customer |
| Lambda@Edge | Custom header inspection for API keys |
```mermaid
graph LR
    User["User"] --> CF["CloudFront\nEdge Cache"]
    CF --> WAF["AWS WAF\nRate Limit: 2000/5min\nGeo-block: High-risk countries"]
    WAF --> APIGW["API Gateway\nUsage Plan: Pro=100 req/s\nAPI Key Validation"]
    APIGW --> Lambda["Lambda\nBusiness Logic"]
    Lambda --> DDB["DynamoDB"]
```
Takeaway: Layered rate limiting at CloudFront (edge), WAF (network), and API Gateway (application) provides defense in depth. Shield Advanced adds DDoS cost protection for enterprise customers.
Use Case 4: Blue/Green Migration with Route53 Weighted Routing#
Scenario: Migrate from an existing on-premises application to AWS with zero downtime. Test the new infrastructure with 5% traffic before full cutover.
Solution:
```bash
# Phase 1: Route 5% traffic to new infrastructure.
# Note: an alias target must be an AWS resource or a record in this same hosted
# zone (so ONPREM_ZONE_ID is this zone's ID); a bare on-premises IP would
# instead be a plain A record with its own Route53 health check.
aws route53 change-resource-record-sets \
  --hosted-zone-id ZONE_ID \
  --change-batch '{
    "Changes": [
      {
        "Action": "UPSERT",
        "ResourceRecordSet": {
          "Name": "app.example.com",
          "Type": "A",
          "SetIdentifier": "on-prem",
          "Weight": 95,
          "AliasTarget": {
            "HostedZoneId": "ONPREM_ZONE_ID",
            "DNSName": "on-prem-lb.example.com",
            "EvaluateTargetHealth": true
          }
        }
      },
      {
        "Action": "UPSERT",
        "ResourceRecordSet": {
          "Name": "app.example.com",
          "Type": "A",
          "SetIdentifier": "aws",
          "Weight": 5,
          "AliasTarget": {
            "HostedZoneId": "ALB_ZONE_ID",
            "DNSName": "new-alb-123.elb.amazonaws.com",
            "EvaluateTargetHealth": true
          }
        }
      }
    ]
  }'

# Phase 2: Monitor, validate, then shift to 100%
# Phase 3: Remove old record
```
Takeaway: Weighted routing enables incremental migration with instant rollback. Combine with health checks to auto-stop traffic if new infrastructure fails.
6. ⚡ Exam Tips#
- Alias Records → Route53 to AWS resources (ALB, CloudFront, S3) free of charge
- CNAME vs Alias → CNAME can't point to zone apex (example.com). Alias can
- CloudFront + S3 → Use OAC/OAI to restrict S3 access to CloudFront only
- Geo-restriction → Block/allow by country (CloudFront). Not for content licensing enforcement
- Global Accelerator → 2 static IPs, Anycast to edge, then AWS global network to destination
- WAF → Protect ALB, CloudFront, API Gateway. Not EC2 directly
- Shield Advanced → $3K/mo, includes DDoS cost protection + WAF
- Lambda@Edge → Only Node.js and Python. Functions = JS only
7. Chapter Quiz#
1. Which Route53 routing policy is best for A/B testing different versions of an app?
   - A) Simple
   - B) Weighted
   - C) Failover
   - D) Geolocation
2. Which CloudFront feature allows restricting access to specific files per user?
   - A) Geo-restriction
   - B) OAC
   - C) Signed URLs
   - D) WAF
3. What is the maximum execution time for CloudFront Functions?
   - A) 1 ms
   - B) 5 ms
   - C) 30 ms
   - D) 100 ms
4. How many static IPs does Global Accelerator provide?
   - A) 1
   - B) 2
   - C) 4
   - D) As many as you need
5. What is the cost of AWS Shield Advanced per month?
   - A) Free
   - B) $300
   - C) $3,000
   - D) $30,000
6. A CloudFront distribution uses an S3 origin. How can access be restricted to CloudFront only?
   - A) S3 bucket policy allowing only CloudFront IP ranges
   - B) Origin Access Control (OAC) with an S3 bucket policy denying all except CloudFront
   - C) Pre-signed URLs on all S3 objects
   - D) S3 Block Public Access only
7. A company uses Route53 weighted routing to send 10% of traffic to a new app version. A critical bug is found. What is the quickest way to stop traffic to the new version?
   - A) Delete the weighted record for the new version
   - B) Set the weight of the new version to 0
   - C) Change the health check to unhealthy
   - D) Update DNS TTL to 60 seconds
8. A media company needs to provide time-limited access to premium video content through CloudFront. Each user should have a unique URL. Which approach should be used?
   - A) Geo-restriction with allowlist
   - B) Signed URLs generated by the application
   - C) WAF IP set rules
   - D) CloudFront Functions for authentication
9. A company needs both example.com and www.example.com to point to an ALB using Route53. Which records should be created?
   - A) A CNAME for example.com and a CNAME for www.example.com
   - B) An A alias record for example.com and an A alias record for www.example.com, both pointing to the ALB
   - C) An A record for example.com and a CNAME for www.example.com
   - D) A CNAME for example.com and an A record for www.example.com
10. A CloudFront distribution serves dynamic API responses from an ALB origin. The responses vary per user and must not be cached. How should this be configured?
    - A) Set TTL to 0 and use a cache policy that does not cache
    - B) Disable CloudFront caching globally
    - C) Use Lambda@Edge to prevent caching
    - D) Set minimum TTL to 86,400 seconds
11. Asian users experience 2-second latency to a CloudFront distribution whose origin is in us-east-1, while European users experience 50 ms. What is the MOST likely reason?
    - A) CloudFront has no edge locations in Asia
    - B) The content is dynamic and requires an origin fetch, which is far from Asian users
    - C) The ALB origin lacks cross-zone load balancing
    - D) CloudFront is not configured for Asian regions
12. A Route53 health check monitors an endpoint and fails over to a secondary region after 3 consecutive 5xx errors. What routing policy is required?
    - A) Failover routing policy with health check on the primary
    - B) Latency routing with health checks
    - C) Weighted routing with health checks
    - D) Multi-Value routing with health checks
13. A financial application needs static IP addresses for partner firewall allowlisting. The application runs on an ALB in us-east-1. Which solution provides fixed static IPs?
    - A) Route53 A record pointing to the ALB DNS name
    - B) AWS Global Accelerator with the ALB as endpoint
    - C) Elastic IPs attached to the ALB
    - D) CloudFront with the ALB as origin
14. A CloudFront distribution needs to route /images/ to S3 and /api/ to an ALB. How is this configured?
    - A) Multiple CloudFront distributions, one per origin
    - B) Multiple cache behaviors with path pattern routing
    - C) Lambda@Edge for origin selection
    - D) Origin groups with failover
15. Route53 geolocation routing is configured for France (eu-west-1) and Germany (eu-central-1). What happens when a user connects from Switzerland with no specific rule?
    - A) DNS resolution error
    - B) Routed to the default record if configured
    - C) Routed to the geographically closest region
    - D) Routed randomly among all regions
16. Static CSS files use versioned filenames (styles.a1b2c3.css) for cache busting. What TTL strategy is BEST for CloudFront?
    - A) TTL of 0 seconds
    - B) Long TTL (e.g., 1 year) via Cache-Control max-age headers
    - C) TTL based on file size
    - D) Use CloudFront Functions to set TTL per request
17. A URL rewriting function at the edge must complete in under 50 microseconds and handle millions of requests per second. Which service should be used?
    - A) Lambda@Edge
    - B) CloudFront Functions
    - C) Either works equally
    - D) CloudFront Functions with Lambda@Edge fallback
18. An NLB in a private subnet needs a static IP for partner allowlisting. How can this be achieved?
    - A) Assign an Elastic IP to the NLB
    - B) NLB automatically provides one static IP per AZ
    - C) Associate the NLB with Global Accelerator only
    - D) Use an ALB instead with an Elastic IP
19. A web application behind CloudFront needs protection from layer 7 DDoS attacks. Which combination is MOST effective?
    - A) Shield Standard + Security Groups
    - B) AWS WAF rate-based rules + Shield Advanced
    - C) Network ACLs + Shield Standard
    - D) WAF only
20. A company has two data center IPs and wants Route53 to return both and perform health checks. Which routing policy should be used?
    - A) Simple routing with multiple values
    - B) Multi-Value routing
    - C) Weighted routing
    - D) Geolocation routing
21. What is the advantage of CloudFront signed cookies over signed URLs for a premium video subscription service?
    - A) Cookies provide better encryption
    - B) A single signed cookie grants access to multiple files in a session
    - C) Cookies work with any origin type
    - D) Cookies never expire
22. Route53 failover routing is configured with a health check. After the health check fails for the FailureThreshold, when do clients begin using the secondary endpoint?
    - A) Immediately
    - B) After the DNS TTL expires on the client's cached records
    - C) After the secondary health check passes
    - D) At the next Route53 zone file update
23. A company needs CloudFront to serve sensitive documents from S3 with user authentication through the application. Which approach is MOST secure?
    - A) Public S3 bucket with CloudFront geo-restriction
    - B) CloudFront signed URLs + OAC restricting S3 to CloudFront only
    - C) CloudFront with WAF IP restriction
    - D) Pre-signed S3 URLs served directly from S3
24. A global multiplayer game uses UDP and needs static IPs for client configuration. Which AWS service should handle global traffic routing?
    - A) CloudFront
    - B) Global Accelerator
    - C) Route53 latency-based routing
    - D) ALB cross-region
25. An ALB origin behind CloudFront must reject direct traffic that bypasses CloudFront. What is the correct configuration?
    - A) ALB security group allowing CloudFront IP ranges only
    - B) ALB security group referencing the CloudFront managed prefix list
    - C) WAF on ALB blocking non-CloudFront traffic
    - D) Network ACL filtering on CloudFront IPs only
Answer Key
1. B → Weighted routing distributes traffic percentages (e.g., 10% new version, 90% old).
2. C → Signed URLs provide per-file, per-user temporary access.
3. A → CloudFront Functions must complete in < 1 ms (sub-millisecond).
4. B → Global Accelerator provides 2 static Anycast IPs.
5. C → Shield Advanced costs $3,000/month.
6. B → OAC uses IAM to authenticate CloudFront to S3. Combined with a bucket policy denying all non-CloudFront access, it ensures exclusive CloudFront access.
7. B → Setting weight to 0 immediately stops traffic without deleting the record, allowing easy re-enablement.
8. B → Signed URLs provide per-user, time-limited access to individual files through CloudFront.
9. B → Route53 alias records work at both the zone apex and subdomains, unlike CNAMEs which cannot be used at the apex.
10. A → For dynamic uncached content, set TTL to 0 with an appropriate cache policy. CloudFront still proxies requests without caching.
11. B → Dynamic content requires an origin fetch; latency reflects the round-trip distance between the edge location and origin.
12. A → Failover routing policy with a health check on the primary automatically switches to secondary after the failure threshold is met.
13. B → Global Accelerator provides 2 static Anycast IPs that route through the AWS global network to the ALB.
14. B → CloudFront cache behaviors use path patterns (e.g., /images/, /api/) to route to different origins.
15. B → Geolocation routing falls back to a default record if no specific rule matches the user's location. No default results in a DNS error.
16. B → Versioned filenames mean content never changes at the same URL. A very long TTL maximizes edge caching.
17. B → CloudFront Functions execute in < 1 ms and handle millions of requests/sec. Lambda@Edge has higher latency.
18. B → NLB automatically provides one static IP per subnet (AZ) that remains stable for the NLB's lifetime.
19. B → WAF rate-based rules block excessive requests from single IPs. Shield Advanced adds enhanced DDoS protection and cost protection.
20. B → Multi-Value routing returns up to 8 healthy records per DNS query and supports health checks per record.
21. B → Signed cookies grant access to multiple files/folders in a session, ideal for subscription-based access to a content library.
22. B → Route53 returns the secondary record, but clients using cached DNS (based on TTL) continue to resolve to the primary until their cache expires.
23. B → Signed URLs provide per-user access control, and OAC ensures S3 is only accessible through CloudFront for defense in depth.
24. B → Global Accelerator handles TCP/UDP at Layer 4, provides static IPs, and uses the AWS global network for optimal routing.
25. B → The CloudFront managed prefix list (com.amazonaws.global.cloudfront.origin-facing) in the ALB security group restricts access to CloudFront only.
Additional Resources#
- Route53 Documentation
- CloudFront Documentation
- Global Accelerator Documentation
- WAF Documentation
- Shield Documentation